Commit graph

429 commits

Author SHA1 Message Date
Alessio Greggi
97b4d79ed5
feat: make kubernetes owner parametrized (#8952)
* feat: make kubernetes owner parametrized

* docs: update hardening guide with configuration for CIS 1.1.19

* fix: set etcd data directory permissions to be compliant to CIS 1.1.12
2022-06-17 01:34:32 -07:00
Calin Cristian Andrei
24c8ba832a [kubernetes] drop support for configuring insecure apiserver 2022-06-15 00:57:20 -07:00
Calin Cristian Andrei
ae1dcb031f [kubernetes] drop pre 1.22.0 workarounds 2022-06-15 00:57:20 -07:00
Calin Cristian Andrei
d69d4a8303 [kubernetes] make 1.24.1 the new default 2022-06-15 00:57:20 -07:00
emiran-orange
8f618ab408
Fix condition on kata_containers_version/kube_version when kata_containers_enabled is false (#8804) 2022-05-09 14:56:32 -07:00
Elif Akyıldırım
0d6ea85167
Assert that IP range is enough for the nodes (#8720)
* Assert that IP range is enough for the nodes 

Co-authored-by: Necatican Yıldırım <necaticanyildirim@gmail.com>

* Fixed whitespace

* Fixed errors

* Fixed errors

Co-authored-by: Necatican Yıldırım <necaticanyildirim@gmail.com>
2022-05-05 08:48:20 -07:00
Victor Morales
e7e5037a86
Add a container_manager validation (#8785) 2022-05-04 23:58:19 -07:00
Cristian Calin
45262da726
[calico] call calico checks early on to prevent altering the cluster with bad configuration (#8707) 2022-04-14 01:08:46 -07:00
Julien Le Fur
30306d6ec7
Enable external CA mode for control-plane deployment (#8620) 2022-04-12 05:47:23 -07:00
Unai Arríen
19d5a1c7c3
Ensure all Kubelet required kernel values are configured when enabling protectKernelDefaults (#8692) 2022-04-07 08:33:59 -07:00
Kenichi Omichi
503ab0f722
Run 0100-dhclient-hooks if dhcpclient is enabled (#8658)
If running Kubespray on static IP environments, a task was failed like:

  TASK [kubernetes/preinstall : Configure dhclient hooks for resolv.conf (RH-only)]
  fatal: [ak8s2]: FAILED! => {
    "changed": false, "checksum": "..",
    "msg": "Destination directory /etc/dhcp/dhclient.d does not exist"}

This adds a check for dhclientconffile for running 0100-dhclient-hooks to
run the task only if dhcpclient is enabled.
2022-03-29 00:11:11 -07:00
Cristian Calin
fa9f85c7e9
[sysctl] set fs.may_detach_mounts=1 even when CRIs don't set it themselves (#8635) 2022-03-21 17:36:13 -07:00
Cristian Calin
dd2d95ecdf
[calico] don't enable ipip encapsulation by default and use vxlan in CI (#8434)
* [calico] make vxlan encapsulation the default

* don't enable ipip encapsulation by default
* set calico_network_backend by default to vxlan
* update sample inventory and documentation

* [CI] pin default calico parameters for upgrade tests to ensure proper upgrade

* [CI] improve netchecker connectivity testing

* [CI] show logs for tests

* [calico] tweak task name

* [CI] Don't run the provisioner from vagrant since we run it in testcases_run.sh

* [CI] move kube-router tests to vagrant to avoid network connectivity issues during netchecker check

* service proxy mode still fails connectivity tests so keeping it manual mode

* [kube-router] account for containerd use-case
2022-03-17 18:05:39 -07:00
Mac Chaffee
b554246502
Fix host DNS config 1) being edited too soon and 2) not working with NM (#8575)
Signed-off-by: Mac Chaffee <me@macchaffee.com>
2022-02-26 10:29:23 -08:00
Necatican Yıldırım
e9c8913248
Add kubeadm option to etcd_deployment_type to replace the etcd_kubeadm_enabled variable (#8317)
* Add kubeadm option to etcd_deployment_type to replace the etcd_kubeadm_enabled variable

Signed-off-by: necatican <necaticanyildirim@gmail.com>

* Add etcd kubeadm deployment documentation

Signed-off-by: necatican <necaticanyildirim@gmail.com>

* Refactor warning for the deprecated 'etcd_kubeadm_enabled' variable

Signed-off-by: necatican <necaticanyildirim@gmail.com>
2022-02-22 08:53:16 -08:00
Michael Schmitz
eacd55fbca
Use sysctl_file_path variable for all sysctl_file locations (#8395)
* Use sysctl_file_path variable for all sysctl_file locations

* Add sysctl_file_path variable to kubespay-defaults

* Remove previously used sysctl file locations if present

* Use explicit filename in roles/kubernetes/node/defaults/main.yml

* Defaults: use explicit value
2022-02-01 08:12:10 -08:00
Samuel Liu
b2b95cc8f9
fix 0090-etchosts (#7634) 2022-01-11 01:03:16 -08:00
Romain ALBON
63a53c79d0
Fix - Search root filesystem device (#8366) 2022-01-04 06:48:52 -08:00
Florian Ruynat
841c61aaa1
Revert "Fix external lb error (#8299)" (#8360)
This reverts commit 4f2e4524b8.
2022-01-03 01:37:00 -08:00
singeleaf
4f2e4524b8
Fix external lb error (#8299) 2021-12-13 14:46:27 -08:00
Cristian Calin
682c8a59c2
containerd: change default resolvconf_mode to host_resolvconf (#8247)
* containerd: change default resolvconf_mode to host_resolvconf

* Wait for kube-apiserver to come back after pod refresh

* Handle resolv.conf gracefully

* Retain currently configured DNS entries to ensure we don't break the resolvers

* Suse uses wickedd for network management so no dhcp hooks

* Molecule: increase ansible timeout

* CI: Increase ansible timeout to 120s for Packet jobs
2021-12-09 14:09:06 -08:00
Cristian Calin
990ca38d21
Kata-Containers: add 2.3.0 (#8276)
* Kata-Containers: add checksums for 2.3.0

* Kata-Containers: version 2.3.0 requires kubernetes 1.22.0+
2021-12-07 08:18:08 -08:00
Alvaro Campesino
30d9882851
Add nodelocaldns only if it is enabled (#7731) 2021-12-03 20:36:31 -08:00
Florian Ruynat
e19ce27352
Remove ovn4nfv support (#8265) 2021-12-03 11:56:35 -08:00
Cristian Calin
ee882fa462
Add capability to use swap, requires Kube 1.22 (#8241)
* Alpha-NodeSwap: allow nodes to use swap

* CI: Add Fedora 35 with experimental swap job
2021-11-30 00:52:56 -08:00
Florian Ruynat
a5f88e14d0
Cleanup tests (#8234)
* Add Fedora 35 image, support and CI

* Cleanup tests and allow_failure for vagrant
2021-11-26 09:00:51 -08:00
EDGsheryl
4d79a55904
Remove extra parameter kube_proxy_remove (#8158)
Signed-off-by: EDGsheryl <edgsheryl@gmail.com>
2021-11-15 00:02:48 -08:00
Kenichi Omichi
cb7c30a4f1
Fix cloud_provider check (#8164)
This fixes the preinstall check for cloud_provider option based on
inventory/sample/group_vars/all/all.yml
2021-11-07 23:48:52 -08:00
Gheorghe Isak
16bdb3fe51
set check_mode to false (#8133) 2021-10-26 19:36:37 -07:00
Omar Aloraini
6aac59394e
Rocky Linux support (#8095)
* Add Rocky as a known OS

* Make sure Rocky includes bootstrap-centos.yml

* Update docs with Rocky Linux

* Rocky Linux wireguard and EPEL

* Rocky Linux in the list of supported distributions
2021-10-19 08:29:04 -07:00
Iago Santos
43958614e3
Fix kubespray flatcar ansible_os_family and ansible_distribution (#8029)
Closes https://github.com/kubernetes-sigs/kubespray/issues/8028

Signed-off-by: Iago Santos <iago.santos.pardo@adfinis.com>
2021-10-01 09:11:23 -07:00
Marcos Lorenzo
4c5328fd1f
Determine root filesistem device and partition before running growpart (#8024) 2021-09-27 23:58:42 -07:00
Victor Morales
432a312a35
Enable stable and edge containerd versions (#8020) 2021-09-27 08:11:35 -07:00
Cristian Calin
a517a8db01
Drop chech for kubelet_shutdown_grace_period (#7993)
and kubelet_shutdown_grace_period_critical_pods as ansible cannot do
sane time interval calculations
2021-09-21 18:34:00 -07:00
Cristian Calin
6f7911264f
Calico: make calico_min_version check relevant (#7939)
* Calico: make calico_min_version check relevant

* Calico: only check currently installed version against the oldest supported version by the previous release
2021-09-20 07:58:09 -07:00
Cristian Calin
d57ddf0be8
Feature DynamicKubeletConfig is deprecated in 1.22 and will not move to GA (#7938)
* Feature DynamicKubeletConfig is deprecated in 1.22 and will not move to GA

* Add check for dynamic_kubelet_configuration with kube >= 1.22
2021-09-07 10:47:16 -07:00
Daniil Muidinov
7f309bb092
fix parameters for module replace in 0060-resolvconf (#7858) 2021-08-10 17:13:26 -07:00
Cristian Calin
7516fe142f
Move to Ansible 3.4.0 (#7672)
* Ansible: move to Ansible 3.4.0 which uses ansible-base 2.10.10

* Docs: add a note about ansible upgrade post 2.9.x

* CI: ensure ansible is removed before ansible 3.x is installed to avoid pip failures

* Ansible: use newer ansible-lint

* Fix ansible-lint 5.0.11 found issues

* syntax issues
* risky-file-permissions
* var-naming
* role-name
* molecule tests

* Mitogen: use 0.3.0rc1 which adds support for ansible 2.10+

* Pin ansible-base to 2.10.11 to get package fix on RHEL8
2021-07-12 00:00:47 -07:00
Cristian Calin
a3e34f589a
Enable Graceful Node Shutdown for Kubernetes >= 1.21.0 (#7746)
* Enable Graceful Node Shutdown for Kubernetes >= 1.21.0

* Add sample graceful shutdown parameters
2021-06-27 23:53:25 -07:00
Cristian Calin
282a27a07c
gVisor: initial support for gVisor container runtime (#7661)
* Docker/Containerd: move downloads urls to containerd-common

* gVisor: initial support for gVisor container runtime
2021-06-21 05:18:51 -07:00
Cristian Calin
ec0c0d4a28
Calico enable support for eBPF (#7618)
* Calico: align manifests with upstream

* allow enabling typha prometheus metrics

* Calico: enable eBPF support

* manage the kubernetes-services-endpoint configmap

* Calico: document the use of eBPF dataplane

* Calico: improve checks before deployment

* enforce disabling kube-proxy when using eBPF dataplane
* ensure calico_version is supported
2021-06-07 04:58:39 -07:00
Pavel Martynov
29c2fbdbc1
Fix cloud_resolver type from str to list (issue #7605) (#7606) 2021-05-18 06:41:30 -07:00
Cristian Calin
63cec45597
Add Amazon to the check for supported distributions (#7589) 2021-05-10 16:17:36 -07:00
Cristian Calin
360aff4a57
Rename ansible groups to use _ instead of - (#7552)
* rename ansible groups to use _ instead of -

k8s-cluster -> k8s_cluster
k8s-node -> k8s_node
calico-rr -> calico_rr
no-floating -> no_floating

Note: kube-node,k8s-cluster groups in upgrade CI
      need clean-up after v2.16 is tagged

* ensure old groups are mapped to the new ones
2021-04-29 05:20:50 -07:00
Sergey
d26191373a
add default empty value for etc_hosts_localhosts_dict_target (#7567) 2021-04-28 11:34:50 -07:00
Florian Ruynat
c16efc9ab8
Fix Opensuse not working with ansible_distribution (#7551) 2021-04-26 08:37:02 -07:00
Cristian Calin
73db44b00c
Initial AlmaLinux support (#7538)
* AlmaLinux: ansible>2.9.19 is needed to know about AlmaLinux

* AlmaLinux: identify as a centos derrivative

* AlmaLinux: add AlmaLinux to checks for CentOS

* Use ansible_os_family to compare family and not distribution
2021-04-22 23:50:03 -07:00
emiran-orange
d56ac216f4
Use kubeadm_feature_gates instead of kube_feature_gates to leverage kubeadm feature gates and not to interfere with k8s components feature gates (#7447) 2021-04-12 01:05:59 -07:00
Florian Ruynat
bef1e628ac
Fix issue with 'latest' in containerd version (#7459) 2021-04-07 08:33:53 -07:00
Florian Ruynat
6479e26904
Replace deprecated 'with_dict' with 'loop' (#7442) 2021-04-05 13:45:19 -07:00